Running secure user services in a hostile environment

TROOS – Trusted Open OS, the basis for a TrustZone-based open TEE

Assaf Rosenbaum, Eli Biham and Sara Bitan
Department of Computer Science, Technion

Do you trust your OS? We don't...

[Figure: Critical vulnerabilities found, Jan–Apr 2017]

How to protect critical assets from a compromised OS?

Exploitation of an OS vulnerability might leave the system resources completely exposed to attacks. Hence, we need a mechanism (entity) that can be trusted even when the OS is breached.

Trusted Execution Environment (TEE)

We need an environment in which we can safely store critical data and perform critical processing.

[Figure: User Space, OS, TEE]

Current TEE technologies

Intel Software Guard Extensions (SGX)

SGX makes it possible to run secure services in an isolated execution environment (called an enclave), embedded in the process's virtual memory space.

ARM TrustZone

TrustZone provides a technology to run two virtual worlds, a Normal World (NW) and a Secure World (SW), on the same CPU. This mechanism is an infrastructure on which we can create a Trusted Execution Environment.

The Genode OS framework

[Figure: Application TCB in Genode]

Genode is an open source operating system framework designed for increased security. Genode maintains strong application isolation properties and is designed to keep each application's Trusted Computing Base (TCB) as small as possible.

Our contribution – TROOS

Our goal is to provide a TEE for user services (much like Intel's SGX). We use Genode as the basis for our trusted OS. On top of the native Core and Init components, which are the system kernel and the first user process respectively, we added a few more components to enable loading and execution of trusted user services, called trustlets.

• TZ VMM: Intercepts SMCs and handles the switch between the two worlds.
• Loader: Responsible for loading and verifying the trustlets' code from the normal world.
• Trustlet Manager: Acts as a container for the trustlets. Manages the trustlets' resource allocation.
• Crypto: Will provide each trustlet with unique keys, accessible only to it and only while running in the secure world.

[Figure: Trustlet TCB on TROOS, showing Core, Init, TZ VMM, Trustlets Manager, Trustlet1, Trustlet2, Trustlet3, Loader, Crypto]

Notice that in TROOS, a trustlet does not need to trust the other trustlets in the system. A trustlet doesn't even need to trust the TROOS services, unless it wishes to use them.

Secure world interface

The normal world OS uses the secure world interface to create and execute trustlets according to its needs via SMCs. As part of our efforts to keep the system attack surface as small as possible, we keep the number of SMCs at the bare minimum. The most significant SMCs are described in the following table:

SMC        Description
Tcreate    create a new (empty) trustlet
Tload      load and measure the trustlet code
Tinit      mark trustlet as ready to run
Tstart     start executing a trustlet
Tresume    resume trustlet run after it was stopped
Tdestroy   stop the trustlet run and free its resources

Future work

Our next step is to complete the system implementation with all of the designed components. We then plan to deliver an elaborated security analysis of the system and a comparison to existing TEEs (TrustZone-based and others). The performance impact on the normal world will be tested as well.

Due to time constraints, there are aspects that we do not plan to address at this stage, even though they surely are beneficial to TROOS. For example:

• Integrating a secure element.
• Extending system abilities with secure IO.
• Utilizing on-chip memory to better protect trustlets' code and data against probing.
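
The SMC lifecycle from the table under "Secure world interface", as an added example that is not TROOS code: a secure-world dispatcher that refuses out-of-order calls, so the normal world cannot add code to a trustlet after it has been measured and marked ready. The state names, trustlet_stopped(), chunked Tload and the FNV-1a stand-in for a cryptographic measurement are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Lifecycle states implied by the SMC table; the names are assumptions. */
enum tstate { T_FREE, T_CREATED, T_LOADED, T_READY, T_RUNNING, T_STOPPED };
enum smc { TCREATE, TLOAD, TINIT, TSTART, TRESUME, TDESTROY };
struct trustlet { enum tstate state; uint32_t measurement; };

/* Stand-in measurement (FNV-1a). A real TEE would use a cryptographic hash. */
static uint32_t measure(uint32_t h, const uint8_t *p, size_t n) {
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Assumed stop event (e.g. preemption); the table lists no SMC for it. */
void trustlet_stopped(struct trustlet *t) {
    if (t->state == T_RUNNING) t->state = T_STOPPED;
}

/* Secure-world handler: apply one SMC, refuse out-of-order calls (-1). */
int smc_dispatch(struct trustlet *t, enum smc call, const uint8_t *code, size_t len) {
    switch (call) {
    case TCREATE:
        if (t->state != T_FREE) return -1;
        t->measurement = 2166136261u; t->state = T_CREATED; return 0;
    case TLOAD: /* assumed: code may arrive in chunks, but never after Tinit */
        if (t->state != T_CREATED && t->state != T_LOADED) return -1;
        if (code == NULL || len == 0) return -1;
        t->measurement = measure(t->measurement, code, len);
        t->state = T_LOADED; return 0;
    case TINIT: /* freezes the measurement; empty trustlets are refused */
        if (t->state != T_LOADED) return -1;
        t->state = T_READY; return 0;
    case TSTART:
        if (t->state != T_READY) return -1;
        t->state = T_RUNNING; return 0;
    case TRESUME:
        if (t->state != T_STOPPED) return -1;
        t->state = T_RUNNING; return 0;
    case TDESTROY: /* allowed from any live state; wipes the slot */
        if (t->state == T_FREE) return -1;
        t->measurement = 0; t->state = T_FREE; return 0;
    }
    return -1;
}
```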